Details of VAR-202401-0462

ID

VAR-202401-0462

CVE

CVE-2024-0579

TITLE

TOTOLINK of x2000r Command injection vulnerability in firmware

Trust: 0.8

sources: JVNDB: JVNDB-2024-001421

DESCRIPTION

A vulnerability classified as critical was found in Totolink X2000R 1.0.0-B20221212.1452. Affected by this vulnerability is the function formMapDelDevice of the file /boafrm/formMapDelDevice. The manipulation of the argument macstr leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-250795. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. TOTOLINK of x2000r Firmware contains a command injection vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. TOTOLINK X2000R is a wireless router made by China Zeon Electronics (TOTOLINK) Company. The vulnerability originates from the failure of the macstr parameter of the formMapDelDevice function in the /boafrm/formMapDelDevice file to correctly filter special characters, commands, etc. in the constructed command. An attacker could exploit this vulnerability to cause arbitrary command execution

Trust: 2.16

sources: NVD: CVE-2024-0579 // JVNDB: JVNDB-2024-001421 // CNVD: CNVD-2024-06211

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2024-06211

AFFECTED PRODUCTS

vendor:	totolink	model:	x2000r	scope:	eq	version:	1.0.0-b20221212.1452	Trust: 1.0
vendor:	totolink	model:	x2000r	scope:	eq	version:	-	Trust: 0.8
vendor:	totolink	model:	x2000r	scope:	-	version:	-	Trust: 0.8
vendor:	totolink	model:	x2000r	scope:	eq	version:	x2000r firmware 1.0.0-b20221212.1452	Trust: 0.8
vendor:	zeon	model:	x2000r 1.0.0-b20221212.1452	scope:	-	version:	-	Trust: 0.6

sources: CNVD: CNVD-2024-06211 // JVNDB: JVNDB-2024-001421 // NVD: CVE-2024-0579

CVSS

SEVERITY

CVSSV2

CVSSV3

cna@vuldb.com:	CVE-2024-0579
value:	MEDIUM
Trust: 1.0
nvd@nist.gov:	CVE-2024-0579
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2024-0579
value:	CRITICAL
Trust: 0.8
CNVD:	CNVD-2024-06211
value:	HIGH
Trust: 0.6

cna@vuldb.com:	CVE-2024-0579
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
CNVD:	CNVD-2024-06211
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

cna@vuldb.com:	CVE-2024-0579
baseSeverity:	MEDIUM
baseScore:	6.3
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	LOW
exploitabilityScore:	2.8
impactScore:	3.4
version:	3.1
Trust: 1.0
nvd@nist.gov:	CVE-2024-0579
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2024-0579
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2024-06211 // JVNDB: JVNDB-2024-001421 // NVD: CVE-2024-0579 // NVD: CVE-2024-0579

PROBLEMTYPE DATA

problemtype:	CWE-77	Trust: 1.0
problemtype:	Command injection (CWE-77) [ others ]	Trust: 0.8

sources: JVNDB: JVNDB-2024-001421 // NVD: CVE-2024-0579

PATCH

title:

Patch for TOTOLINK X2000R command injection vulnerability

url:

https://www.cnvd.org.cn/patchInfo/show/521651

Trust: 0.6

sources: CNVD: CNVD-2024-06211

EXTERNAL IDS

db:	NVD	id:	CVE-2024-0579	Trust: 3.2
db:	VULDB	id:	250795	Trust: 1.8
db:	JVNDB	id:	JVNDB-2024-001421	Trust: 0.8
db:	CNVD	id:	CNVD-2024-06211	Trust: 0.6

sources: CNVD: CNVD-2024-06211 // JVNDB: JVNDB-2024-001421 // NVD: CVE-2024-0579

REFERENCES

url:	https://vuldb.com/?id.250795	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2024-0579	Trust: 1.4
url:	https://github.com/jylsec/vuldb/blob/main/totolink/x2000r/1/readme.md	Trust: 1.0
url:	https://vuldb.com/?ctiid.250795	Trust: 1.0

sources: CNVD: CNVD-2024-06211 // JVNDB: JVNDB-2024-001421 // NVD: CVE-2024-0579

SOURCES

db:	CNVD	id:	CNVD-2024-06211
db:	JVNDB	id:	JVNDB-2024-001421
db:	NVD	id:	CVE-2024-0579

LAST UPDATE DATE

2024-08-14T15:20:45.050000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2024-06211	date:	2024-01-29T00:00:00
db:	JVNDB	id:	JVNDB-2024-001421	date:	2024-02-05T03:26:00
db:	NVD	id:	CVE-2024-0579	date:	2024-05-17T02:34:47.997

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2024-06211	date:	2024-01-26T00:00:00
db:	JVNDB	id:	JVNDB-2024-001421	date:	2024-02-05T00:00:00
db:	NVD	id:	CVE-2024-0579	date:	2024-01-16T17:15:08.280